Talking To...: Michael Howard Discusses the Secure Windows Initiative

Welcome Sign in

Developer Centers

MSDN Home

MSDN Magazine

Printer Friendly Version

Send

Talking To...: Michael Howard Discu...

Share this Page

	Live Favorites
	DotNet Kicks
	Digg
	Slashdot
	del.icio.us
	Yahoo!
	Technorati
	ma.gnolia
	reddit

CLR Inside Out: Security In Silverlight 2

Andrew Dai of the CLR team discusses the Transparency model, which creates a strong isolation boundary between privileged and unprivileged code for Silverlight apps.

By Andrew Dai (October 2008)

Basic Instincts: Dynamic Data Entry With XML Literals

Learn how to use Windows Presentation Foundation (WPF), XAML, and the deep XML support in Visual Basic to generate user interfaces dynamically.

By Beth Massi (October 2008)

Service Station: Authorization In WCF-Based Services

Windows Communication Foundation (WCF) provides an easy role-based system and a more powerful and complex claims-based API for implementing authorization in services.

By Dominick Baier and Christian Weyer (October 2008)

Security Briefs: SDL Embraces The Web

In this installment we introduce you to new Web-oriented security guidance and tools straight from the Security Development Lifecycle (SDL) team at Microsoft.

By Bryan Sullivan (September 2008)

More ...

Object reference not set to an instance of an object.

Popular Articles

Robotics: Simulating the World with Microsoft Robotics Studio

Microsoft Robotics Studio is not just for playing with robots. It also allows you to build service-based applications for a wide range of hardware devices.

By Sara Morgan (June 2008)

MOSS 2007: Automate Web App Deployment with the SharePoint API

Learn how to automate custom SharePoint application deployments, use the SharePoint API, and avoid the hassle of custom site definitions.

By E. Wilansky, P. Olszewski, and R. Sneddon (May 2008)

Form Filler: Build Workflows to Capture Data and Create Documents

Learn how to create a workflow that uses InfoPath forms and other office documents for passing data to targeted activities and for use in Office documents.

By Rick Spiewak (June 2008)

ASP.NET AJAX 4.0: New AJAX Support For Data-Driven Web Apps

Here is an ASP.NET AJAX data-driven Web application that takes the best features from server- and client-side programming to deliver an efficient, user-friendly experience.

By Bertrand Le Roy (October 2008)

More ...

Read the Blog

Patterns In Practice: Cohesion And Coupling

Well designed code keeps things that have to change together as close together in the code as possible and allows unrelated things in the code to change independently, while minimizing duplication in the code. In the October 2008 issue of MSDN Magazine, Jeremy Miller shows you some design ...
Read more!

Going Places: Ink-Enabled Apps For Tablet PC

The process for ink capture and analysis on the Tablet PC is straightforward in managed code. To the uninitiated developer, however, creating unmanaged Tablet PC applications can be rather daunting. In the October 2008 issue of MSDN Magazine, Gus Class a quick introduction to the Tablet PC ...
Read more!

Parallel Programming with Visual Studio

Multicore systems are becoming increasingly prevalent, but the majority of software today will not automatically take advantage of this additional processing ability. And multithreaded programming, for anything but the most trivial of systems, is incredibly difficult and error prone today. In the October 2008 issue of MSDN ...
Read more!

Design Considerations For Parallel Programming

Concurrent programming is notoriously difficult, even for experts. You have all of the correctness and security challenges of sequential programs plus all of the difficulties of parallelism and concurrent access to shared resources. In the October 2008 issue of MSDN Magazine, David Callahan describes ...
Read more!

Cutting Edge: Building A Secure AJAX Service Layer

A major advantage of AJAX and Silverlight applications is that they can transparently and continuously interact with a back-end service. The problem is that they run over HTTP, which wasn't designed with security in mind. In the September 2008 issue of MSDN Magazine, Dino Esposito shows you ...
Read more!

CLR Inside Out: Unhandled Exception Processing In The CLR

Unhandled exception processing shouldn't be a mystery. It's actually quite useful since it gives a crashing application an opportunity to perform last-minute diagnostic logging about what went wrong. In the September 2008 issue of MSDN Magazine, Gaurav Khanna discusses how ...
Read more!

More ...

Talking To...

Michael Howard Discusses the Secure Windows Initiative

The growth of interconnected computers in recent years has pushed security concerns to the forefront of development and application design. The Microsoft effort, dubbed the Secure Windows Initiative (SWI), focuses on securing new and legacy code. A key player on the Secure Windows Initiative team is Senior Security Program Manager Michael Howard. Michael has a long history working on security-related issues and has written two books along the way—Writing Secure Code and Designing Secure Web-based Applications for Windows 2000 (both from Microsoft Press).

Erica Wiechers, co-host of the .NET Show on MSDN, sat down with Michael recently for an update on the security effort. Here's what he had to say.

MSDN Microsoft is heavily focused on security issues these days. How has the thinking about security changed over the past few years at Microsoft?

Howard Simply put—threats have changed, and all software must adapt to reflect the changing, and frankly, more dangerous landscape. Security—and by security I don't mean security features, I mean secure features—is at the forefront of everyone's thoughts at Microsoft. What was previously the domain of a small bunch of specialists is now part of daily life in the various Microsoft product groups. It's part of getting the job done. And Bill's January 2002 e-mail on Trustworthy Computing has added a huge impetus and urgency to the process.

MSDN What is the main charter of the Secure Windows Initiative group at Microsoft?

Howard Our role is simple: help product groups build more secure products. Our ultimate goal is to put our group out of business by seeding product groups with expertise, helping them design, develop, test, and document their products correctly and securely. All product teams should get to a stage where their security effort is self-sufficient over time, but we are in the building phase right now, so our group performs a great deal of hand holding until the teams can run on their own.

MSDN Describe your role in that group.

Howard I have many roles including security education, research, consulting, and writing. The education aspect is critical—in general it's rare to find new developers who understand how to build secure software, so our group fills that gap. I probably spend an average of six hours a week educating people. I also spend time researching things such as new threat modeling methods, determining attack profiles, and new vulnerability types. Because of the SWI charter, I also spend a good chunk of my time working with other product groups to make sure they are on track, answer questions, go over designs, code, threats, test plans, and so on.

MSDN What are some projects you are currently working on?

Howard You name it! We just finished working with Windows XP SP1 and Visual Studio .NET 2003; now we're onto Windows Server 2003, SQL Server, Microsoft Office, the next big Visual Studio .NET release, and much, much more.

MSDN What do you see as the biggest challenge that developers face while trying to code secure applications?

Howard Legacy code is definitely the biggest challenge in that respect. We think we have the new code pretty much solved. People know the right things to do now that we have provided mandatory training, set security rules in place, improved the tools, and created a huge security awareness company-wide. However, attackers target legacy code as well as new code, and the role of the various security pushes is to fix issues in both old and new code. We can task people here at Microsoft to review and fix all code, old and new, and make it part of their job.

MSDN What security features would you like to see incorporated into future Microsoft products?

Howard I would like to see people not focus on security features. In fact, I truly believe that the biggest security benefit we can provide our customers is to install only critical features by default. If the user wants to enable other features, then they should be optional installs.

I say this because we can create products that defend against the threats we know about today. Of course, there will be new threats in the future that we do not know about today, and if a feature has such a vulnerability and it is installed by default, the user of that particular feature is automatically susceptible to attack and will need to deploy a security fix quickly. However, if the feature is rarely used and not running by default, then it cannot be attacked. Therefore, the path deployment urgency is vastly reduced. In short, if a feature is not used by 90 percent of the product's users, then the feature should be disabled by default.

Product Families

Resources

About Microsoft

Popular Places

Popular Searches

Popular Downloads